ASafaWeb

Actually, it’s even worse than that – it’s really 67.37% – but let’s not split hairs over that right now. The point is that it’s an alarmingly high number for what amounts to very simple configuration vulnerabilities. The numbers come courtesy of ASafaWeb, the Automated Security Analyser for ASP.NET Websites which is a free online scanner at asafaweb.com. When I built ASafaWeb, I designed it from the ground up to anonymously log scan results. The anonymity means I don’t know which sites are being scanned or who is doing the scanning, but I do know the result of each scan which allows me to aggregate these into...

Do you ever get that sense that [insert culture here] seems to totally dominate everything to the total oblivion of everyone else out there? This sort of thing usually gets people a bit cranky but it turns out I’ve kind of been doing it a little bit myself with ASafaWeb. You see, ASafaWeb works by looking at how a website responds to certain requests and from those responses it draws some conclusions about how the thing is configured. For example, if ASafaWeb sees a response like the one below, it knows that custom errors have not been configured correctly: It knows there was an error because the source code contains an <h1> tag which begins...

As many of you know by now, I’m particularly fond of AppHarbor. They continue to provide a totally awesome integrated CI and hosting environment, continue to offer a means of taking the service up for free (as well as recently adding some commercial offerings), and most importantly to this post, they still have a great selection of very cool add-ons. One of those add-ons is StillAlive which is awesome for two reasons: Firstly, it’s a local Aussie company and secondly, it actually provides a very valuable service that’s going to help me address a niggling problem with ASafaWeb running on AppHarbor. It’s broken – and I’m the last to know...

When it comes to our personal security, we’ve all grown a bit accustomed to keeping things on the down-low. For example, we cover the keypad on the ATM when entering our PIN and we shred our sensitive documents rather than throwing them straight in the trash. We do this not because any one single piece of information is going to bring us undone, but rather we try not to broadcast anything which may be used to take advantage of us. That PIN could be used with the card to withdraw cash if someone gets their hands on it (or has a skimming device) and that bank statement you throw in the trash could be used by someone as...

I love ELMAH – this is one those libraries which is both beautiful in its simplicity yet powerful in what it allows you to do. Combine the power of ELMAH with the convenience of NuGet and you can be up and running with absolutely invaluable error logging and handling in literally a couple of minutes. Yet, as the old adage goes, with great power comes great responsibility and if you’re not responsible with how you implement ELMAH, you’re also only a couple of minutes away from making session hijacking of your ASP.NET app – and many other exploits – very, very easy. What’s more, vulnerable apps are only a simple Google search away....

Back in September last year we saw the emergence of the padding oracle vulnerability which suddenly got a whole lot of ASP.NET developers very nervous. The real concern with this vulnerability was that there really wasn’t much you could do at the code level beyond a couple of little tweaks – what was really needed was for patches to get installed on servers and fast. The problem back then was that, well, you couldn’t always trust your hosting provider. Hosting providers take all sorts of different shapes; corporate servers managed by IT groups, dedicated machines with dedicated hosts, shared co-tenanted machines and now more and more frequently, cloud based solutions. But one thing remained constant...

I’ve had a lot of conversations with folks recently about web app performance. Often these conversations have been around the assertion that a content distribution network (here forth referred to as a CDN), is something you need to deploy early on in the optimisation process of a website. Personally, I see a CDN as a last resort; it’s what you turn to when all other performance tuning alternatives have been exhausted and you need to eke out that last little bit of latency by moving the content closer to the audience. It’s not a replacement for good website optimisation, it’s an enhancement. One of the main problems with a CDN is simply...

Websites get hacked. Lots. This year alone we’re looking at some absolute whoppers; Sony, EVE Online, Sony, pron.com, Sony, MySQL.com, did I mention Sony? Many times, the gateway to successful website exploits is simple misconfiguration. Custom errors were left off and thus leaked internal code. Or request validation was turned off which opened up an XSS flaw. These risks are often then leveraged to do other nasty stuff. The thing is, many of these are also easily remotely detectable – certainly the bad guys know this. What I mean is that configuration vulnerabilities are apparent just by making the right requests to the website. Not “hacking” it in any sort of malicious context, just...
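The passive technique these posts describe (ASafaWeb drawing conclusions from how a site answers a few ordinary requests, an ELMAH log left readable by anyone, custom errors left off) can be shown in a few dozen lines. The script below is an added example and is not ASafaWeb’s code or the code of any post on this page. It sends two requests, one to a path that cannot exist so the error handling path runs, and one to the conventional ELMAH handler path `/elmah.axd`, then classifies the responses. The probe paths, the `scan` and `check_*` function names, and the assumption that an anonymously served ELMAH page mentions "ELMAH" in its markup are mine; the "Server Error in '/' Application." heading and the "Version Information" footer are what the stock ASP.NET error page emits when customErrors is Off. The sample responses embedded at the bottom are constructed, not captured from any site.

```python
import re
import sys
import urllib.error
import urllib.request

# Added example, not ASafaWeb's own code. Passive configuration checks:
# issue a few normal requests and infer settings from the responses.

# Stock ASP.NET error page (customErrors="Off") opens with this heading.
YSOD_HEADING = re.compile(r"<h1>\s*Server Error in '[^']*' Application", re.I)
# Its footer discloses the runtime versions.
VERSION_FOOTER = re.compile(
    r"Microsoft \.NET Framework Version:\s*([\d.]+);\s*ASP\.NET Version:\s*([\d.]+)")
# Assumption: an ELMAH log page served to an anonymous client mentions ELMAH
# somewhere in its markup. A properly locked-down handler never gets this far.
ELMAH_MARKER = re.compile(r"elmah", re.I)


def check_custom_errors(status, body):
    """Classify the response to a request that should produce an error.

    result 'fail'    -> stock error page returned: customErrors is Off and the
                        stack trace, source line and runtime version leak
    result 'pass'    -> an error occurred but the default page was not shown
    result 'unknown' -> the request did not produce an error at all
    """
    finding = {"result": "unknown", "detail": ""}
    if YSOD_HEADING.search(body):
        finding["result"] = "fail"
        m = VERSION_FOOTER.search(body)
        if m:
            finding["detail"] = "ASP.NET %s disclosed" % m.group(2)
    elif status >= 300:  # custom page (4xx/5xx) or a defaultRedirect (3xx)
        finding["result"] = "pass"
    return finding


def check_elmah(status, body):
    """Classify the response to GET /elmah.axd."""
    if status == 200 and ELMAH_MARKER.search(body):
        return "fail"  # log readable anonymously: cookies, session IDs, traces
    if status in (301, 302, 401, 403):
        return "pass"  # handler present but behind authentication
    if status == 404:
        return "pass"  # ELMAH not installed or handler not mapped
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for 3xx instead of following,
    # so the real status code reaches the checks above.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, timeout=10):
    """GET url and return (status, body). HTTP errors are data, not failures."""
    req = urllib.request.Request(url, headers={"User-Agent": "config-check/0.1"})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def scan(site, fetch=fetch):
    """Run both checks against a site root such as 'https://example.com'."""
    site = site.rstrip("/")
    # A path that cannot exist forces the application's error handling path.
    status, body = fetch(site + "/probe-that-does-not-exist.aspx")
    custom_errors = check_custom_errors(status, body)
    status, body = fetch(site + "/elmah.axd")
    return {"customErrors": custom_errors, "elmah": check_elmah(status, body)}


# Constructed sample responses (not captured from any real site).
SAMPLE_YSOD = """<html><body bgcolor="white">
<span><h1>Server Error in '/' Application.<hr width=100% size=1 color=silver></h1>
<h2><i>The resource cannot be found.</i></h2></span>
<b>Requested URL:</b> /probe-that-does-not-exist.aspx<br><br>
<hr width=100% size=1 color=silver>
<b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1
</body></html>"""
SAMPLE_CUSTOM = "<html><body><h1>Sorry, that page could not be found.</h1></body></html>"
SAMPLE_ELMAH = "<html><head><title>Error log</title></head><body>Log provided by ELMAH</body></html>"

if __name__ == "__main__":
    print(scan(sys.argv[1]) if len(sys.argv) > 1 else "usage: script.py https://site")
```

A "fail" on the first check is the same signal ASafaWeb keys on: the body carries the stock heading, so customErrors is Off and whatever the page leaks (stack trace, source line, runtime version) is readable by anyone who provokes an error. A "pass" only means the default page was not shown; it says nothing about what the custom page itself reveals.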

If we can get over Microsoft’s cheesy catchphrase for a moment, the whole idea of “to the cloud” is actually pretty cool. It’s the promise of taking things that used to be both labour and capital intensive, commoditising them and serving them up on demand. This can very easily sound like PowerPoint presentation rhetoric so let’s move past the warm and fuzzies and actually see it in action. A couple of weeks back I published a screencast as part of my 5 minute wonders series titled From zero to hero with AppHarbor. In that session I took my existing membership-enabled ASP.NET website (itself the subject of a previous 5 minute wonder)...

Let me preface everything I’m about to write by saying this: I am not a designer. I enjoy design, but I tend to hack away at it a bit. Actually I’ve gone a bit to and fro in my career moving from pure code roles to front end roles to web roles where you kind of need a bit of everything, and that’s probably where I’m most comfortable now. So treat everything that follows as the designer-by-default comments of a developer :) Fixed or variable No, not interest rates, web page layouts. Somewhere in the design process you need to make a call on whether you fix the width of the page at...